@gchwier gchwier commented May 26, 2025

Updated manifest to sdk-zephyr.
Changes in zephyr allow provisioning KMU keys with the west flash command if keyfile.json (generated by west ncs-provision) is in the build directory.

Changes in sdk-nrf:
Introduced the capability to automatically generate
the keyfile.json during the build process for nRF54L series devices.
Added new Kconfigs:

  • SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE
  • SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE

to control creating keyfile.json during the build process.
Creating keyfile.json is implemented in generate_default_keyfile.cmake.

Additionally updated tests on nrf54l15dk:

  • tests/subsys/bootloader/boot_chains
  • tests/subsys/kmu/hello_for_kmu

To test it manually on nrf54l15dk:
hello world + NSIB

west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world  -d build-54l-nsib -- \
-DSB_CONFIG_SECURE_BOOT_APPCORE=y \
-DSB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

west flash --skip-rebuild --erase -d build-54l-nsib

MCUboot (with KMU enabled)

west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world -d build-54l-mcuboot_kmu -- \
-DSB_CONFIG_BOOTLOADER_MCUBOOT=y \
-DSB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y \
-DSB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

west flash --skip-rebuild --erase -d build-54l-mcuboot_kmu 

hello world + NSIB + MCUboot

west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world  -d build-54l-nsib_mcuboot -- \
-DSB_CONFIG_SECURE_BOOT_APPCORE=y \
-DSB_CONFIG_BOOTLOADER_MCUBOOT=y \
-DSB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y \
-DSB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y \
-DSB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

west flash --skip-rebuild --erase -d build-54l-nsib_mcuboot

To run Twister tests:

$ZEPHYR_BASE/scripts/twister \
-c -vv -ll debug \
--device-testing -p nrf54l15dk/nrf54l15/cpuapp --device-serial /dev/ttyACM1 --west-flash="--recover" \
-T tests/subsys/bootloader/boot_chains

$ZEPHYR_BASE/scripts/twister \
-c -vv -ll debug \
--device-testing -p nrf54l15dk/nrf54l15/cpuapp --device-serial /dev/ttyACM1 --west-flash="--recover" \
-T tests/subsys/kmu/hello_for_kmu \
-s mcuboot.kmu.west_flash_default_provision \
-s mcuboot.kmu.west_flash_default_provision_with_b0

@gchwier gchwier requested a review from a team May 26, 2025 14:46
@gchwier gchwier requested review from a team as code owners May 26, 2025 14:46
@github-actions github-actions bot added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels May 26, 2025
NordicBuilder commented May 26, 2025

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

NordicBuilder commented May 26, 2025

CI Information

To view the history of this post, click the 'edited' button above
Build number: 21

Inputs:

Sources:

sdk-nrf: PR head: 590b59e906d382279c2c5e5fbdd786d63771481a

sdk-nrf:

PR head: 590b59e906d382279c2c5e5fbdd786d63771481a
merge base: 768c10ecd3942bb25934b45526348d708ab6b6db
target head (main): c0042f741d7539769b08df7ad2d57c57b9ce5494
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (7)
cmake
│  ├── sysbuild
│  │  │ generate_default_keyfile.cmake
sysbuild
│  ├── CMakeLists.txt
│  ├── Kconfig.mcuboot
│  │ Kconfig.secureboot
tests
│  ├── subsys
│  │  ├── bootloader
│  │  │  ├── boot_chains
│  │  │  │  ├── Kconfig.sysbuild
│  │  │  │  │ testcase.yaml
│  │  ├── kmu
│  │  │  ├── hello_for_kmu
│  │  │  │  │ testcase.yaml

Outputs:

Toolchain

Version: 3ae5dc3c63
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:3ae5dc3c63_776d264d2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister - Skipped: Skipping Build & Test as it succeeded in a previous run: 19
  • ✅ Integration tests
    • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-boot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-apps - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_mesh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_cloud - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_serial_lte_modem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ doc-internal - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rpc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rs - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-fem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-thread-main - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_lrcs_mosh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_lrcs_positioning - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-wifi - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-pmic-samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-mcuboot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-secdom-samples-public - Skipped: Job was skipped as it succeeded in a previous run
    • ⚠️ test-fw-nrfconnect-fw-update

Note: This message is automatically posted and updated by the CI

You can find the documentation preview for this PR here.

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from 2495a58 to 243a05f Compare May 29, 2025 15:00
@gchwier gchwier marked this pull request as draft May 29, 2025 15:00
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 3 times, most recently from 31104aa to bc69b54 Compare June 6, 2025 12:57
@gchwier gchwier marked this pull request as ready for review June 6, 2025 13:31
@gchwier gchwier requested a review from a team as a code owner June 6, 2025 13:31
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 4 times, most recently from 091f13e to c7de955 Compare June 12, 2025 07:45
NordicBuilder commented Jun 12, 2025

Memory footprint analysis revealed the following potential issues

applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 12430[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 9178[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 9090[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 5846[B] - link (cc: @nrfconnect/ncs-ll-ursus)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-22516/19)

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from c7de955 to fcef34a Compare June 12, 2025 10:30
@gchwier gchwier requested review from michalek-no and nordicjm June 13, 2025 07:02
Comment on lines 183 to 184

squash into previous commit

as above

Suggested change
if(DEFINED SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE AND NOT "${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE}" STREQUAL "")
if(SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE)
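Review bot: the shortened condition `if(SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE)` is not strictly equivalent to the DEFINED-and-not-empty test it replaces. CMake's `if(<variable>)` is also false when the value is one of the false constants (0, OFF, NO, FALSE, N, IGNORE, NOTFOUND, or any string ending in -NOTFOUND). That is acceptable for a value that is always a key file path, but a short comment stating that assumption would keep a later reader from expecting the old behaviour and from missing a silently skipped branch.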

Comment on lines 8 to 9

use variables directly rather than creating these

alignment

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 2 times, most recently from 6773da0 to 7356910 Compare June 18, 2025 15:05
@gchwier gchwier requested a review from nordicjm June 18, 2025 15:11
gchwier added 2 commits June 20, 2025 09:48
This commit introduces the capability to automatically generate
the keyfile.json during the build process for nRF54L series devices.
Added new Kconfigs in Kconfig.mcuboot and Kconfig.secureboot to
control creating keyfile.json during the build process.
Creating keyfile.json is implemented in generate_default_keyfile.cmake

Signed-off-by: Grzegorz Chwierut <[email protected]>

Enabled nrf54l15dk in bootloader/boot_chains.
Automatic KMU provisioning is selected.
Updated tests of KMU provisioning with simple tests,
where pytest is not required - console harness is used.

Signed-off-by: Grzegorz Chwierut <[email protected]>
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from 7356910 to 590b59e Compare June 20, 2025 07:50
@github-actions github-actions bot removed the manifest label Jun 20, 2025
@gchwier gchwier changed the title manifest: sdk-zephyr: Add ncs-provision to west Generate default key file with west ncs-provision, enable automatic KMU provisioning Jun 20, 2025
gchwier commented Jun 20, 2025

Rebased and removed sdk-zephyr manifest (merged with other PR)

set(keyfile)

if(NOT EXISTS ${signature_private_key_file})
message(FATAL_ERROR "Config points to non-existing PEM file '${signature_private_key_file}'")
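Review bot: the variable reference in `if(NOT EXISTS ${signature_private_key_file})` is unquoted, so an empty value collapses the condition to `if(NOT EXISTS)` and CMake stops on an argument error instead of reaching this FATAL_ERROR message, and a value containing a semicolon is split into several arguments. Quote it as `if(NOT EXISTS "${signature_private_key_file}")`. The message text says only "Config points to", so naming the option that supplied the path would make the failure easier to trace back when the wrong key file is configured.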

don't like that this throws an error, which means users can't recover from it, but actually seems this is already done in debug_keys.cmake, which oddly means that this will never actually run anyway because the same failure will occur there first, so will allow it

@nordicjm nordicjm merged commit 6f93393 into nrfconnect:main Jun 23, 2025
13 of 15 checks passed
@gchwier gchwier deleted the grch-west-flash-with-provision branch June 23, 2025 06:41